feat: NDSEP complete production-ready platform

.env.example

@@ -0,0 +1,83 @@
+# ============================================================
+# NDSEP Local Development Environment Variables
+# Copy this file to .env and update values as needed.
+# For production, see .env.production.example
+# ============================================================
+
+# ── Database ─────────────────────────────────────────────────
+DATABASE_URL=postgresql://ndsep_user:ndsep_dev_password@localhost:5432/ndsep_db
+LOCAL_DATABASE_URL=postgresql://ndsep_user:ndsep_dev_password@localhost:5432/ndsep_db
+NDSEP_PG_URL=postgresql://ndsep_user:ndsep_dev_password@localhost:5432/ndsep_db
+POSTGRES_PASSWORD=ndsep_dev_password
+
+# ── Redis (optional — app degrades gracefully without it) ────
+REDIS_URL=redis://localhost:6379
+
+# ── Auth / JWT ───────────────────────────────────────────────
+JWT_SECRET=dev-jwt-secret-change-me-in-production-min-32-chars
+OWNER_NAME=Dev Admin
+
+# ── Application ──────────────────────────────────────────────
+NODE_ENV=development
+PORT=3000
+LOG_LEVEL=debug
+VITE_APP_TITLE=NDSEP - Dev
+ENABLE_DEMO_LOGIN=true
+
+# ── Field-Level Encryption (AES-256-GCM) ─────────────────────
+# 64-char hex string (32 bytes). Generate with:
+#   node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+FIELD_ENCRYPTION_KEY=0000000000000000000000000000000000000000000000000000000000000000
+
+# ── Stripe (test mode) ──────────────────────────────────────
+STRIPE_SECRET_KEY=sk_test_placeholder
+VITE_STRIPE_PUBLISHABLE_KEY=pk_test_placeholder
+STRIPE_WEBHOOK_SECRET=whsec_test_placeholder
+
+# ── Keycloak (optional for local dev) ────────────────────────
+KEYCLOAK_URL=http://localhost:8080
+KEYCLOAK_REALM=ndsep
+KEYCLOAK_CLIENT_ID=ndsep-api
+KEYCLOAK_CLIENT_SECRET=dev-client-secret
+
+# ── APISIX (optional) ───────────────────────────────────────
+APISIX_ADMIN_URL=http://localhost:9180
+APISIX_ADMIN_KEY=dev-admin-key
+
+# ── Temporal (optional) ─────────────────────────────────────
+TEMPORAL_ADDRESS=localhost:7233
+TEMPORAL_NAMESPACE=ndsep-dev
+
+# ── Kafka (optional) ────────────────────────────────────────
+KAFKA_BOOTSTRAP_SERVERS=localhost:9092
+
+# ── OpenSearch (optional) ────────────────────────────────────
+OPENSEARCH_URL=http://localhost:9200
+OPENSEARCH_USER=admin
+OPENSEARCH_PASS=admin
+
+# ── Sector Regulator API Keys (dev placeholders) ─────────────
+# These are validated at startup — dev mode shows warnings, production throws errors
+NCC_API_KEY=
+NHIA_API_KEY=
+NERC_API_KEY=
+DPR_API_KEY=
+NAICOM_API_KEY=
+CBN_FINTECH_API_KEY=
+
+# ── SMS (Termii) ─────────────────────────────────────────────
+TERMII_API_KEY=dev-termii-key
+TERMII_SENDER_ID=NDSEP
+TERMII_PHONE=+2340000000000
+
+# ── PostgreSQL SSL (disabled for local dev) ──────────────────
+DB_SSL_REJECT_UNAUTHORIZED=false
+
+# ── CORS ─────────────────────────────────────────────────────
+CORS_ORIGINS=http://localhost:3000,http://localhost:5173
+
+# ── Webhook Signing ─────────────────────────────────────────
+WEBHOOK_SIGNING_SECRET=dev-webhook-secret
+
+# ── KMS Provider (local = no external KMS needed for dev) ────
+KMS_PROVIDER=local

.env.production.example

@@ -0,0 +1,117 @@
+# ============================================================
+# NDSEP Production Environment Variables
+# Copy this file to .env.production and fill in real values.
+# NEVER commit .env.production to version control.
+# ============================================================
+
+# ── Database ─────────────────────────────────────────────────
+POSTGRES_PASSWORD=CHANGE_ME_STRONG_PASSWORD
+DATABASE_URL=postgresql://ndsep_user:CHANGE_ME_STRONG_PASSWORD@postgres:5432/ndsep_db?sslmode=require
+LOCAL_DATABASE_URL=postgresql://ndsep_user:CHANGE_ME_STRONG_PASSWORD@postgres:5432/ndsep_db?sslmode=require
+NDSEP_PG_URL=postgresql://ndsep_user:CHANGE_ME_STRONG_PASSWORD@postgres:5432/ndsep_db?sslmode=require
+
+# ── Redis ────────────────────────────────────────────────────
+REDIS_URL=redis://:CHANGE_ME_REDIS_PASSWORD@redis:6379
+
+# ── Auth / JWT ───────────────────────────────────────────────
+JWT_SECRET=CHANGE_ME_AT_LEAST_32_CHARS_RANDOM_STRING
+VITE_APP_ID=your-manus-app-id
+OAUTH_SERVER_URL=https://api.manus.im
+VITE_OAUTH_PORTAL_URL=https://manus.im
+OWNER_OPEN_ID=your-owner-open-id
+OWNER_NAME=NDPC Administrator
+
+# ── Stripe ───────────────────────────────────────────────────
+STRIPE_SECRET_KEY=sk_live_CHANGE_ME
+VITE_STRIPE_PUBLISHABLE_KEY=pk_live_CHANGE_ME
+STRIPE_WEBHOOK_SECRET=whsec_CHANGE_ME
+
+# ── Application ──────────────────────────────────────────────
+NODE_ENV=production
+PORT=3000
+LOG_LEVEL=info
+VITE_APP_TITLE=NDSEP - National Data Sovereignty Enforcement Platform
+VITE_APP_LOGO=https://ndsep.gov.ng/logo.png
+
+# ── Built-in Forge API (Manus Platform) ─────────────────────
+BUILT_IN_FORGE_API_URL=https://api.manus.im
+BUILT_IN_FORGE_API_KEY=CHANGE_ME
+VITE_FRONTEND_FORGE_API_KEY=CHANGE_ME
+VITE_FRONTEND_FORGE_API_URL=https://api.manus.im
+
+# ── Analytics ────────────────────────────────────────────────
+VITE_ANALYTICS_ENDPOINT=https://analytics.ndsep.gov.ng
+VITE_ANALYTICS_WEBSITE_ID=ndsep-production
+
+# ── Worker / Scheduler ───────────────────────────────────────
+WORKER_DATABASE_URL=postgresql://ndsep_user:CHANGE_ME_STRONG_PASSWORD@postgres:5432/ndsep_db?sslmode=require
+WORKER_RELAY_URL=http://ndsep-api:3000/api/workers/event
+
+# ── Middleware Services ───────────────────────────────────────
+KAFKA_BOOTSTRAP_SERVERS=kafka:9092
+NIFI_URL=http://nifi:8080
+AIRFLOW_URL=http://airflow:8080
+OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4318/v1/traces
+
+# ── Temporal (Workflow Engine) ────────────────────────────────
+TEMPORAL_ADDRESS=temporal:7233
+TEMPORAL_NAMESPACE=ndsep
+
+# ── Keycloak (IAM) ───────────────────────────────────────────
+KEYCLOAK_URL=http://keycloak:8080
+KEYCLOAK_REALM=ndsep
+KEYCLOAK_CLIENT_ID=ndsep-api
+KEYCLOAK_CLIENT_SECRET=CHANGE_ME
+
+# ── Permify (Fine-Grained Authorization) ─────────────────────
+PERMIFY_URL=http://permify:3476
+
+# ── TigerBeetle (Financial Ledger) ───────────────────────────
+TIGERBEETLE_ADDRESS=tigerbeetle:3001
+TIGERBEETLE_CLUSTER_ID=0
+
+# ── OpenSearch (Full-Text Search) ────────────────────────────
+OPENSEARCH_URL=http://opensearch:9200
+OPENSEARCH_USER=admin
+OPENSEARCH_PASS=CHANGE_ME
+
+# ── APISIX (API Gateway) ─────────────────────────────────────
+APISIX_ADMIN_URL=http://apisix:9180
+APISIX_ADMIN_KEY=CHANGE_ME
+
+# ── Dapr (Sidecar Runtime) ───────────────────────────────────
+DAPR_HTTP_PORT=3500
+DAPR_GRPC_PORT=50001
+
+# ── Fluvio (Stream Processing) ───────────────────────────────
+FLUVIO_SC_URL=fluvio-sc:9003
+
+# ── Mojaloop (Digital Payments) ──────────────────────────────
+MOJALOOP_URL=http://mojaloop:3000
+
+# ── OpenAppSec (WAF) ─────────────────────────────────────────
+OPENAPPSEC_URL=http://openappsec:8080
+
+# ── Lakehouse (Data Lake) ────────────────────────────────────
+ICEBERG_CATALOG_URL=http://iceberg-rest:8181
+
+# ── CORS ──────────────────────────────────────────────────────
+CORS_ORIGINS=https://ndsep.nitda.gov.ng,https://app.ndsep.ng
+
+# ── Security ─────────────────────────────────────────────────
+ENABLE_DEMO_LOGIN=false
+
+# ── Field-Level Encryption (AES-256-GCM) ─────────────────────
+# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+FIELD_ENCRYPTION_KEY=CHANGE_ME_64_CHAR_HEX_STRING
+
+# ── PostgreSQL SSL Certificate Verification ───────────────────
+# Path to CA certificate for verifying PostgreSQL server identity
+DB_SSL_CA=/path/to/ca.crt
+# Set to "true" (default in production) to reject self-signed certs
+DB_SSL_REJECT_UNAUTHORIZED=true
+
+# ── Volume Encryption ────────────────────────────────────────
+# Paths to encrypted volumes (use LUKS/dm-crypt or cloud-managed encryption)
+PG_DATA_DIR=/var/lib/ndsep/postgres-data
+REDIS_DATA_DIR=/var/lib/ndsep/redis-data

.github/branch-protection.md

@@ -0,0 +1,43 @@
+# Branch Protection Rules — NDSEP
+
+Apply these rules in GitHub Repository Settings → Branches → Branch protection rules.
+
+## `main` branch
+
+| Setting | Value |
+|---------|-------|
+| **Require a pull request before merging** | Yes |
+| Required approving reviews | **2** |
+| Dismiss stale pull request approvals | Yes |
+| Require review from code owners | Yes |
+| **Require status checks to pass before merging** | Yes |
+| Required checks: | `Node.js CI (TypeScript + Tests)` |
+| | `Go CI (Build + Vet + Test)` |
+| | `Security Scan` |
+| | `CodeQL — JavaScript/TypeScript` |
+| | `Semgrep SAST` |
+| **Require branches to be up to date before merging** | Yes |
+| **Require signed commits** | Recommended |
+| **Require linear history** | Yes (squash merge) |
+| **Include administrators** | Yes |
+| **Restrict pushes** | Only deploy bots and release managers |
+| **Allow force pushes** | No |
+| **Allow deletions** | No |
+
+## `develop` branch
+
+| Setting | Value |
+|---------|-------|
+| Require a pull request before merging | Yes |
+| Required approving reviews | **1** |
+| Required status checks | `Node.js CI (TypeScript + Tests)` |
+| Require branches to be up to date | Yes |
+
+## `staging` branch
+
+| Setting | Value |
+|---------|-------|
+| Require a pull request before merging | Yes |
+| Required approving reviews | **1** |
+| Required status checks | `Node.js CI (TypeScript + Tests)`, `Security Scan` |
+| Require branches to be up to date | Yes |